On January 15, 2015, the U.S. District Court for the Eastern District of Missouri ruled that fees, assessments and costs imposed by the credit card brands on Schnuck Markets, Inc. (Schnuck), a grocery chain estimated to have had 2.4 million customers' credit and debit card information compromised by a malware attack on its point-of-sale system, were contractually limited to $500,000. Schnuck Markets, Inc. v. First Data Merchant Data Services Corp and Citicorp Payment Services, Inc., No. 4:13-CV-2226 (E.D. Mo. January 15, 2015). In its opinion, the Court ruled that Schnuck's payments processor, First Data Merchant Services Corp. (First Data), and its acquiring bank, Citicorp Payment Services, Inc. (Citicorp), were contractually obligated for any assessments from the card brands in excess of $500,000 in connection with the security incident.
In November 2013, Schnuck sued First Data and Citicorp for breach of contract, claiming that the two companies were withholding more than the allowable amount of money from credit card transactions processed for the grocery chain. Schnuck argued that a limitation of liability clause in the contracts with both defendants capped their liability at $500,000. In response, First Data and Citicorp argued that an exception to the limitation of liability clause for "fees, fines or penalities [sic] by the Association" allowed them to withhold the amount they anticipated would be assessed by the card brands. The contract also contained an exception to the limitation of liability creating a separate $3 million limitation for fines for payment card industry data security standard (PCI-DSS) noncompliance. The amount being withheld by First Data and Citicorp was not disclosed. The parties each sought declaratory judgments from the District Court, interpreting the contract in their respective favors.
In its opinion, the Court noted that none of the parties raised the issue of the $3 million limitation pertaining to fines for PCI-DSS noncompliance. As this provision was not raised, the Court focused on the language in the limitation of liability applicable to “third party fees” or “fees, fines or penalties.” Focusing on the contract, the Court found that “third party fees” or “fees, fines or penalties” was not intended to encompass liability for issuer loses assessed by the credit card brands. Thus, Schnuck’s liability was limited to $500,000.
This decision should cause merchants, acquiring banks and payment processors to take a closer look at their service contracts to ensure that they clearly spell out the parties' responsibilities and obligations in the event of a security incident. As was the case with First Data and Citicorp, they could have a lot more at stake in a security incident than they originally believed. Additionally, small businesses may not have the leverage to modify these contracts as do their larger counterparts and should understand the potential implications these contract terms can have on their businesses.
The Schnuck decision reinforces the need for businesses entering into contracts for payment processing services to have these agreements carefully reviewed by an experienced data privacy and security attorney. In light of this decision, payment processors will likely be reviewing their services agreements to address the limitations of liability provisions and merchants may be seeing revised services agreements that purport to clarify the liability limitations provisions.